The report analyzes how the MangLingHua group (APT-Q-37) has updated its phishing and delivery techniques, including CHM attachments and DDE automation, to target defense contractors by posing as military trade clients such as the Bangladesh Navy. It also covers related activity from APT-Q-41 (Mōyā Xiàng) and APT-Q-39 (Snake) infrastructures and notes ongoing evasion and detection challenges. Hashtags: #APT-Q-37 #MangLingHua #DDEAuto #BangladeshNavy #APT-Q-39Snake #MuuyDownLoader #ArtraDownloader
Keypoints
- The MangLingHua group (APT-Q-37) conducts phishing campaigns against defense-industry targets, impersonating military trade clients (e.g., Bangladesh Navy) using CHM attachments.
- Phishing payloads rely on DDE automation and document-based delivery (CHM, DDE auto, and macro documents) to bypass defenses.
- MSI payloads are downloaded via remote servers/FTP into victim directories and executed to drop backdoors like ArtraDownloader and MuuyDownLoader plugins.
- VBScript via a file like Scan.vbs creates scheduled tasks and acts as a persistence/collection mechanism; keylogging modules are also observed in plugins.
- The attackers use SFX and CHM formats to evade detection, replacing the EXE inside the SFX with a CHM to improve antivirus evasion (“anti-kill”), while macro documents are also used for delivery.
- Infrastructure and tactics overlap with APT-Q-41 (Mōyā Xiàng) and APT-Q-39 (Snake); defenders note cross-group tool sharing and evolving backend infrastructure.
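The DDE automation mentioned above rides on Word field codes (DDE / DDEAUTO) stored in the document's XML parts. The following detector is an added example for defenders and is not code from the original report: it opens a .docx as a zip archive, reassembles complex-field instructions that may be split across several runs (a common way to hide the DDEAUTO keyword), checks simple fields too, and reports any instruction that invokes DDE. The sample documents it builds are constructed in memory with placeholder paths; the helper names are the author's own choices.

```python
"""Detect DDE / DDEAUTO field codes in .docx files (added defender example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

# Field instructions that start a DDE conversation begin with DDE or DDEAUTO.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def _complex_fields(root):
    """Yield each complex-field instruction, joining instrText runs between
    a fldChar 'begin' and its matching 'end' (document order)."""
    buf, inside = [], False
    for el in root.iter():
        if el.tag == W_NS + "fldChar":
            kind = el.get(W_NS + "fldCharType")
            if kind == "begin":
                inside, buf = True, []
            elif kind == "end" and inside:
                inside = False
                yield "".join(buf)
        elif inside and el.tag == W_NS + "instrText":
            buf.append(el.text or "")


def find_dde_fields(docx_bytes: bytes) -> list[str]:
    """Return every field instruction in the document that invokes DDE,
    with whitespace normalised so split keywords read as one token."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        # Fields can live in the body, headers, footers, footnotes, etc.
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(name))
            instrs = list(_complex_fields(root))
            # Simple fields keep the instruction in the w:instr attribute.
            instrs += [fs.get(W_NS + "instr") or "" for fs in root.iter(W_NS + "fldSimple")]
            for instr in instrs:
                norm = " ".join(instr.split())
                if DDE_RE.search(norm):
                    hits.append(norm)
    return hits


# --- constructed sample documents (not real samples from the report) -------
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.'
    'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
)
DOC_TMPL = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>{runs}'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>x</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>'
)


def build_sample_docx(instr_parts: list[str]) -> bytes:
    """Build a minimal .docx whose single field instruction is split into
    the given runs (hypothetical helper used only to drive the detector)."""
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{escape(p)}</w:instrText></w:r>'
        for p in instr_parts
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", DOC_TMPL.format(runs=runs))
    return buf.getvalue()


BENIGN_DOCX = build_sample_docx([" PAGE "])
# Keyword deliberately split across runs; the path is a placeholder.
SUSPECT_DOCX = build_sample_docx([" DD", "EAUTO ", '"C:\\placeholder\\tool.exe" "arg"'])

if __name__ == "__main__":
    print("benign :", find_dde_fields(BENIGN_DOCX))
    print("suspect:", find_dde_fields(SUSPECT_DOCX))
```

Because the check runs on the unzipped XML, it does not depend on Word's field-update behaviour and can be applied at the mail gateway before an attachment reaches a user.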
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – The MangLingHua group poses as a military trade client (the Bangladesh Navy) and sends phishing emails with CHM attachments to defense contractors. ‘The MangLingHua group impersonates a defense contractor (Bangladesh Navy) and delivers phishing emails with CHM attachments to defense contractors.’
- [T1105] Ingress Tool Transfer – Attackers deliver MSI payloads by uploading them to victim directories via FTP and then executing them. ‘Uploads MSI files to targeted victim directories via FTP’ and ‘execute MSI on remote servers.’
- [T1059.005] Command and Scripting Interpreter: Visual Basic – VBScript (e.g., Scan.vbs) dropped alongside the MSI/CHM payloads creates scheduled tasks as part of persistence and collection. ‘VBS script contents… create scheduled tasks.’
- [T1027] Obfuscated Files and Information – SFX/CHM-based delivery and the EXE-to-CHM switch are used to evade detection. ‘Content changes in SFX, replacing EXE with CHM to evade antivirus detection.’
- [T1036] Masquerading – The extension/name changes (EXE to CHM) to masquerade as a different file type and evade basic defenses. ‘replacing exe with CHM to evade detection.’
- [T1056.001] Input Capture: Keylogging – Plugins include a keylogging module. ‘Keylogging module.’
- [T1071.001] Web Protocols – C2 communication via web channels/domains (the campaign uses multiple domains and a direct URL for C2). ‘C2 domains include rurushophoogtypnl.com, etc.’
Indicators of Compromise
- [MD5] context – CHM/SFX payloads used by APT-Q-37: 54ea5083ad67b15a249e07bb1a4fb3e0, 4069d394ff1e55fa9dde2f81567d681e, and 20 more hashes listed in the article
- [Domain] context – C2 domains associated with APT-Q-37: rurushophoogtypnl.com, botanoolifeapp.net, maildataserver.com, deliverymailserver.com, ekoconect.com, pnptrafcroutsvc.net, epapbuizhost.net, svc2mcxwave.net
- [URL] context – C2 URL: http://193.142.58.186/UihbywscTZ/45Ugty845nv7rt.php
- [IP] context – C2 IP: 193.142.58.186
- [File] context – Example dropper/documents: Technical Proposal of Portable Anti-Drone System.docx, China Great Wall Industry Corp (CGWIC) Profile and POC.docx, Payment Detail.docx
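The indicators above are most useful when matched automatically against DNS and proxy telemetry. The script below is an added example (not code from the report) that loads the report's domains, IP and URL, then scans log lines for exact or subdomain matches; the log lines and client addresses are constructed, and the function names are the author's own.

```python
"""Match the report's C2 indicators against DNS/proxy log lines (added example)."""
import re

# Indicators taken from the report's IoC list.
IOC_DOMAINS = {
    "rurushophoogtypnl.com", "botanoolifeapp.net", "maildataserver.com",
    "deliverymailserver.com", "ekoconect.com", "pnptrafcroutsvc.net",
    "epapbuizhost.net", "svc2mcxwave.net",
}
IOC_IPS = {"193.142.58.186"}
IOC_URLS = {"http://193.142.58.186/UihbywscTZ/45Ugty845nv7rt.php"}

# Coarse token extractors; hostnames need an alphabetic last label so that
# dotted IPv4 addresses are not picked up twice.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def match_iocs(line: str) -> set[tuple[str, str]]:
    """Return the set of (type, indicator) pairs that occur in one log line.
    Domains match on the apex or any subdomain of it."""
    hits = set()
    for url in IOC_URLS:
        if url in line:
            hits.add(("url", url))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.add(("ip", ip))
    for host in HOST_RE.findall(line):
        h = host.lower().rstrip(".")
        for d in IOC_DOMAINS:
            if h == d or h.endswith("." + d):
                hits.add(("domain", d))
    return hits


def scan_logs(lines: list[str]) -> list[tuple[int, str, str]]:
    """Scan every line and return sorted (line_index, type, indicator) hits."""
    found = []
    for idx, line in enumerate(lines):
        for kind, ind in match_iocs(line):
            found.append((idx, kind, ind))
    return sorted(found)


# Constructed sample telemetry; the internal client addresses are made up.
SAMPLE_LOGS = [
    "2024-01-01T10:00:01Z dns client=10.10.4.21 qname=update.botanoolifeapp.net qtype=A",
    "2024-01-01T10:00:02Z proxy client=10.10.4.21 method=POST "
    "url=http://193.142.58.186/UihbywscTZ/45Ugty845nv7rt.php status=200",
    "2024-01-01T10:00:03Z dns client=10.10.4.22 qname=www.example.com qtype=A",
    "2024-01-01T10:00:04Z proxy client=10.10.4.23 method=GET url=https://maildataserver.com/x status=404",
]

if __name__ == "__main__":
    for idx, kind, ind in scan_logs(SAMPLE_LOGS):
        print(f"line {idx}: {kind} matched {ind}")
```

Subdomain matching matters here because the report lists apex domains while the observed queries will usually be for hosts beneath them; the IP and URL checks catch the direct-IP C2 path that no DNS lookup precedes.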